Re: selinux preventing Bugzilla on FC5

From: Paul Howarth <paul city-fan org>

To: James Garrison <jhg athensgroup com>

Cc: fedora-selinux-list redhat com

Subject: Re: selinux preventing Bugzilla on FC5

Date: Fri, 12 May 2006 09:07:53 +0100

On Thu, 2006-05-11 at 18:21 -0500, James Garrison wrote:
> The continuing saga....
>
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:
> > denied { read } for pid=19398 comm="index.cgi" name="resolv.conf"
> > dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:
> > denied { create } for pid=19398 comm="index.cgi"
> > scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:
> > denied { create } for pid=19398 comm="index.cgi"
> > scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:
> > denied { shutdown } for pid=19398 comm="index.cgi"
> > scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
>
> It seems like I'm just going to have to keep trying and adding new
> allow rules, 2 or 3 at a time, until I've hit everything not allowed
> by selinux. Surely I'm not the first person to try to get Bugzilla
> running on FC5?
>
> Is there a better way to do this than trial and error?
You could put SELinux in permissive mode:
# setenforce 0
then run bugzilla and get all of the SELinux denials logged, so you can
deal with them all in one go. Then turn enforcing mode back on:
# setenforce 1
You might also consider looking at the bugzilla package currently making
its way through the Fedora Extras review process:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359
This probably doesn't include any SELinux support (at least not yet),
but might be better to use from a maintainability standpoint.
Paul.
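An added example of the "collect them all in one go" step Paul describes; this is not code from the thread or from the Bugzilla package. It takes the AVC lines that a permissive-mode run leaves in the kernel log, filters them to the domain you care about (httpd_sys_script_t here, so denials that unrelated daemons happen to log during the same window are not swept into the Bugzilla module), and collapses them into one unique source/target/class/permission tuple per line, which is exactly what audit2allow turns into allow rules. The log lines are constructed from the ones quoted above plus one made-up ntpd denial to show the filter; the module name localbugzilla and the use of audit2allow -M on an FC5-era modular policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.  Summarise SELinux AVC denials
# gathered during a "setenforce 0" run so they can be reviewed once and fed to
# audit2allow in a single batch instead of 2 or 3 at a time.

# Constructed sample log: the denials quoted in the thread (re-joined onto one
# line each, as they appear in /var/log/messages) plus one made-up ntpd denial
# that a permissive window would also capture but that has nothing to do with
# Bugzilla.
sample_avc_log() {
    cat <<'EOF'
May 11 18:11:05 bugzilla kernel: audit(1147389065.041:16): avc:  denied  { read } for  pid=19398 comm="index.cgi" name="resolv.conf" dev=md1 ino=1106152 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:17): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:18): avc:  denied  { create } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
May 11 18:11:05 bugzilla kernel: audit(1147389065.045:19): avc:  denied  { shutdown } for  pid=19398 comm="index.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
May 11 18:11:07 bugzilla kernel: audit(1147389067.100:21): avc:  denied  { search } for  pid=2040 comm="ntpd" name="ntp" dev=md1 ino=23 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
EOF
}

# Read AVC lines on stdin, print "source_type target_type class permission"
# once per distinct tuple.  $1 (optional) keeps only denials whose source
# domain is that type, e.g. httpd_sys_script_t.
summarize_avc() {
    awk -v want="${1:-}" '
    /avc: +denied/ {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        src  = $0; sub(/.*scontext=/, "", src);      sub(/ .*/, "", src)
        tgt  = $0; sub(/.*tcontext=/, "", tgt);      sub(/ .*/, "", tgt)
        cls  = $0; sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")      # user:role:type:level
        if (want != "" && s[3] != want) next
        print s[3], t[3], cls, perm
    }' | sort -u
}

# Number of distinct denial tuples in the sample, optionally for one domain.
unique_denial_count() {
    sample_avc_log | summarize_avc "$@" | wc -l | tr -d ' '
}

# The on-box procedure from the reply above, for reference only: it needs
# root and a real SELinux host, so it is defined here but never called.
# Assumes audit2allow supports -M (modular policy, as on FC5) and that the
# module name localbugzilla is free.
collect_and_build_module() {
    setenforce 0
    # ... exercise Bugzilla here: load index.cgi, file a bug, run a search ...
    # With auditd running use "ausearch -m avc" instead of grepping syslog.
    grep 'avc: *denied' /var/log/messages | summarize_avc httpd_sys_script_t
    # Review the tuples; if a boolean already covers one (getsebool -a | grep
    # httpd), set the boolean rather than adding a custom allow rule.  Then:
    grep 'avc: *denied' /var/log/messages | audit2allow -M localbugzilla
    semodule -i localbugzilla.pp
    setenforce 1
}

# Stand-alone run: the three distinct rules index.cgi was denied.
sample_avc_log | summarize_avc httpd_sys_script_t
```

Note that the two identical udp_socket create denials collapse to one line, which is why the filtered output has three tuples for four quoted AVC records. The first tuple (read on net_conf_t, i.e. resolv.conf) together with the udp_socket one is the signature of a DNS lookup, so before loading a custom module it is worth checking whether an httpd networking boolean already permits it.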